This Health Insurance Portability and Accountability Act (“HIPAA”) Business Associate Agreement (“Agreement”) is entered into by and between MYCENSUSPRO (us or we) and the user (affiliates, "you", "your", "user", ”Facility”, “Home” or "Customer"), hereafter referred to as the Covered Entity (“CE”) and the customer, hereafter referred to as the Business Associate (“Associate”). BY ENROLLING IN, USING, OR PAYING FOR MYCENSUSPRO SYSTEM AND SERVICES, YOU AGREE TO THE PRICES, CHARGES, TERMS AND CONDITIONS IN THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE PRICES, CHARGES, TERMS AND CONDITIONS, DO NOT USE THE SERVICES, AND CANCEL THE SERVICES IMMEDIATELY BY CALLING MYCENSUSPRO AT THE PHONE NUMBER LISTED AT OUR WEBSITE FOR FURTHER DIRECTIONS.

1. CE is itself a business associate of one or more covered entities, and Business Associate is a subcontractor of CE for purposes of CE’s business associate relationships with those covered entities. While CE is not itself a covered entity under HIPAA, it stands in the shoes of the covered entities it works with in executing this subcontractor Agreement with Business Associate. A copy of CE’s HIPAA business associate agreements with these covered entities are attached hereto as Exhibit A, and Business Associate agrees that it will comply with any standards present in those agreements that apply to business associates, as applicable to Business Associate’s services to CE.
2. CE wishes to disclose certain information (“Information”) to Associate pursuant to the terms of the Agreement, some of which may constitute Protected Health Information (“PHI”) or Electronic Protected Health Information (“EPHI”).
3. CE and Associate intend to protect the privacy and provide for the security of any PHI and EPHI disclosed to Associate pursuant to the Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and regulations promulgated thereunder by the U.S. Department of Health and Human Services including, but not limited to, Title 45, Section 164.504(e) of the Code of Federal Regulations, as the same may be amended from time to time (the “HIPAA Regulations”); and as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and any regulations that may be promulgated thereunder, from time to time (the “HITECH Regulations”); the Privacy Rule amendments outlined in the American Recovery and Reinvestment Act (“ARRA”);the Patient Protection and Affordable Care Act (“PPACA”), as well as any other applicable state or federal laws (hereinafter, HIPAA, the HIPAA Regulations, HITECH, the HITECH Regulations, ARRA and PPACA are collectively referred to as the “HIPAA Laws”).
4. The purpose of this Agreement is to satisfy certain standards and requirements of the HIPAA Laws. In consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows:

HIPAA Rules – shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

Covered Entity – shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.

Business Associate – shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.

Protected Health Information (“PHI”) – Means any information, whether oral or recorded in any form or medium:

A. that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and

B. that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under HIPAA and the HIPAA Regulations.

Electronic Protected Health Information (“EPHI”) – Means any PHI transmitted in electronic format.

Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use – as used in this Agreement shall have the same meaning as those terms in the HIPAA Rules.

1. Compliance with HIPAA’s Security Rule and the HITECH Act’s Privacy Provisions – Associate must comply with HIPAA’s Security Rule and the HITECH Act’s Privacy Provisions. Pursuant to this obligation, Associate must, at a minimum, perform a risk analysis, periodically reassess and update security protections and implement reasonable and appropriate security policies and procedures.

A. When carrying out a HIPAA obligation of CE, Associate must comply with the HIPAA Privacy Rule to the same extent as CE would be required to.

2. Permitted Uses and Disclosures – Associate may use and/or disclose PHI/EPHI received by Associate pursuant to this Agreement (“CE’s PHI”) solely in accordance with the specifications set forth in this agreement and in accordance with 45 CFR 164.502 (e) (1) (iii) and 45 CFR 164.38 (b) (2), which can be modified at any time if agreed upon by both parties.

A. Associate may use PHI received by Associate in its capacity as a Business Associate of CE for the proper management and administration of Associate, if such disclosure is necessary (i) for the proper management and administration of Associate or (ii) to carry out the legal responsibilities of Associate.

B. Associate may disclose PHI received by Associate in its capacity as a Business Associate of CE for the proper management and administration of Associate if (i) the disclosure is required by law or (ii) Associate (a) obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person and (b) the person notifies Associate of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.

C. For purposes of this Section, “Data Aggregation” means, with respect to CE’s PHI, the combining of such PHI by Associate with the PHI received by Associate in its capacity as a Business Associate of another CE to permit data analyses that relate to the health care operations of the respective Covered Entities. Associate shall provide Data Aggregation services relating to the health care operations of CE.

D. Associate agrees to make uses and disclosures and requests for PHI consistent with CE’s minimum necessary policies and procedures.

3. Nondisclosure – Associate shall not use or further disclose CE’s PHI otherwise than as permitted or required by this Agreement or as required by law. Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by CE.

A. To the extent Associate is to carry out one or more of CE’s obligation(s) under Subpart E of 45 CFR Part 164, Associate must comply with the requirements of Subpart E that apply to CE in the performance of such obligation(s), except for the specific uses and disclosures set forth in this Agreement.

4. Safeguards – Associate shall use appropriate safeguards and comply with Subpart C of 45 CFR Part 162 with regard to EPHI to prevent use or disclosure of CE’s PHI otherwise than as provided for by this Agreement. Associate shall maintain a comprehensive written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Associate’s operations and the nature and scope of its activities. Associate shall also maintain a written Identity Theft Prevention Program.

5. Subcontractors – In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.

6. Notification of Breach – During the term of this Agreement, Associate shall notify CE within twenty-four (24) hours of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. Such notice shall identify the nature of the breach, including (i) a description of what happened; (ii) the date of the breach and (iii) specific elements of PHI that were subject to the breach. Associate shall take (i) prompt corrective action to cure any such deficiencies and (ii) any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations. Associate shall also report a pattern of material breach of PHI by a subcontractor, pursuant to 45 CFR 164.504 (e)(1)(ii).

7. Associate’s Agents – Associate shall ensure that any agents, including subcontractors, to whom it provides PHI received from (or created or received by Associate on behalf of) CE agree to the same restrictions, conditions and requirements that apply to Associate with respect to such PHI.

8. Availability of Information to CE – Associate shall make available to CE such information as CE may require to fulfill CE’s obligations to provide access to, provide a copy of, and account for disclosures with respect to PHI pursuant to the HIPAA Laws as necessary to satisfy CE obligations under 45 CFR 164.528 Associate shall make PHI available for CE in a designated record in accordance with 45 CFR 164.504 and 164.524.

9. Amendment of PHI – Associate shall make CE’s PHI available to CE as CE may require to fulfill CE’s obligations to amend PHI pursuant to the HIPAA Laws and Associate shall, as directed by CE, incorporate any amendments to CE’s PHI into copies of such PHI maintained by Associate pursuant to 45 CFR 164.526 or take other measures as necessary to satisfy CE’s obligations under 45 CFR 164.526.

A. Where CE receives a request for inspection and/or copying of PHI, which is created and maintained by BA, CE’s Privacy Officer will pass the Request for Inspection and Copying to BA and BA is responsible for fulfilling the request, as appropriate. CE’s log should be updated accordingly.

10. Internal Practices – Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from CE (or created or received by Associate on behalf of CE) available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Associate’s compliance with the HIPAA Laws.

11. De-identification – Associate is expressly prohibited from de-identifying PHI as defined in 45 CFR 164.514.

To the best of our ability:

1. CE shall notify Associate of any limitation(s) in the notice of privacy practices of CE under 45 CFR 164.520, to the extent that such limitation may affect Associate’s use or disclosure of PHI.

2. CE shall notify Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Associate’s use or disclosure of PHI.

3. CE shall notify Associate of any restriction on the use or disclosure of PHI that CE has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Associate’s use or disclosure of PHI.

4. CE shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Associate pursuant to this Agreement, in accordance with the standards and requirements of the HIPAA Laws, until such PHI is received by Associate.

5. CE shall not request Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by CE, except where Associate will use or disclose PHI for data aggregation or management and administration and legal responsibilities of Associate.

From time to time upon reasonable notice, upon a reasonable determination by CE that Associate has breached this Agreement, CE may inspect systems, books and records of Associate to monitor compliance with this Agreement. Associate shall promptly remedy any violation of any term of this Agreement and shall certify the same to CE in writing. The fact that CE inspects, or fails to inspect, or has the right to inspect, Associate’s systems and procedures does not relieve Associate of its responsibility to comply with this Agreement, nor does CE’s (i) failure to detect or (ii) detection, but failure to notify Associate or require Associate’s remediation of any unsatisfactory practices constitute acceptance of such practice or a waiver of CE’s enforcement rights under this Agreement Associate may elect to retain and compensate an independent third-party to conduct a privacy audit in lieu of inspection by CE. Selection of a particular independent third-party is subject to CE’s approval. Associate agrees, under such circumstances, to comply with the independent auditor’s findings and to provide CE with both a copy of the independent auditor’s written audit report as well as proof that Associate has, subsequently, remedied the breach of this Agreement.

1. Term and Termination. The term of this Agreement shall be effective immediately, and shall terminate when all of the PHI provided by CE to Associate, or created or received by Associate on behalf of CE is destroyed or returned to CE, or, if it is infeasible to return or destroy the PHI, protections are extended to such PHI in accordance with the termination provisions in this section.

2. Termination for Cause. If either party knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of this Agreement, then the non-breaching party shall either:

A. Provide an opportunity for the other party to cure the breach or end the violation and terminate this Agreement if the other party does not cure the breach or end the violation within the time specified;

B. Immediately terminate this Agreement if the other party has breached a material term of this Agreement and cure is not possible; or

C. If neither termination nor cure is feasible, the non-breaching party shall report the violation to the Secretary. Material Breach shall include Associate’s improper use or disclosure of PHI and any changes or any diminution of Associate’s reported security procedures or safeguards that render any or all of Associate’s safeguards unsatisfactory to CE, in CE’s sole discretion. A material breach shall provide grounds for immediate termination of the Agreement by CE.

3. Reasonable Steps to Cure Breach – If CE knows of a pattern of activity or practice of Associate that constitutes a material breach or violation of the Associate’s obligations under the provisions of this Agreement or another arrangement and does not terminate this Agreement, then CE shall take reasonable steps to cure such breach or end such violation, as applicable. If CE’s efforts to cure such breach or end such violation are unsuccessful, CE shall either (i) terminate this Agreement, if feasible or (ii) if termination of this Agreement is not feasible, CE shall report Associate’s breach or violation to the Secretary of the Department of Health and Human Services.

4. Judicial or Administrative Proceedings – Either party may terminate this Agreement, effective immediately, if (i) the other party is named as a defendant in a criminal proceeding for a violation of the HIPAA Laws or (ii) a finding or stipulation that the other party has violated any standard or requirement of the HIPAA Laws or other security or privacy laws is made in any administrative or civil proceeding in which the party has been joined.

5. Effect of Termination – Upon termination of this Agreement for any reason, Associate shall return and destroy all PHI received from CE (or created or received by Associate on behalf of CE) that Associate still maintains in any form, and shall retain no copies of such PHI or, if return or destruction is not feasible, it shall continue to extend the protections of this Agreement to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible.

6. Obligations of Business Associate Upon Termination - Upon termination of this Agreement for any reason, Associate, with respect to PHI received from CE, or created, maintained, or received by Associate on behalf of CE, shall:

A. Retain only that PHI which is necessary for Associate to continue its proper management and administration or to carry out its legal responsibilities;

B. Return to CE [or, if agreed to by covered entity, destroy] the remaining PHI that the Associate still maintains in any form;

C. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to EPHI to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as Associate retains the PHI;

D. Not use or disclose the PHI retained by Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out forth above, which applied prior to termination; and

E. Return to CE [or, if agreed to by CE, destroy] the PHI retained by Associate when it is no longer needed by Associate for its proper management and administration or to carry out its legal responsibilities.

In addition, upon termination, Associate shall either obtain or ensure the destruction of PHI created, received, or maintained by subcontractors.

7. Survival – The obligations of Associate under this Section shall survive the termination of this Agreement.

Each party will indemnify, hold harmless and defend the other party to this Agreement and its respective employees, directors, officers, subcontractors, agents and affiliates from and against any and all claims, actions, damages, losses, liabilities, costs, fines, penalties and other expenses incurred (including, without limitation, reasonable attorneys’ fees), arising from or in connection with any breach of this Agreement, or any negligent or wrongful acts or omissions in connection with this Agreement, caused by the party or by its employees, directors, officers, subcontractors or agents.

CE makes no warranty or representation that compliance by Associate with this Agreement, the HIPAA Laws will be adequate or satisfactory for Associate’s own purposes or that any information in Associate’s possession or control, or transmitted or received by Associate, is or will be secure from unauthorized use or disclosure. Associate is solely responsible for all decisions made by Associate regarding the safeguarding of PHI.

To the extent that CE determines that such examination is necessary to comply with CE’s legal obligations pursuant to the HIPAA Laws relating to certification of its security practices, CE or its authorized agents or contractors, may, at CE’s expense, examine Associate’s facilities systems, procedures and records as may be necessary for such agents or contractors to certify to CE the extent to which Associate’s security safeguards comply with the HIPAA Laws or this Agreement. Associate may elect to retain an independent third-party to conduct a privacy audit in lieu of inspection by CE or its authorized agents or contractors. Associate’s selection of an independent third-party is subject to CE’s approval. CE and Associate agree to equally share the expense incurred in hiring such independent third-party.

1. Covered Entity – CE and Associate agree that both CE and Associate are required to comply as “covered entities” under the HIPAA Laws and the obligations of this Agreement are intended to apply mutually to both CE and Associate.

2. Agreement to Comply with Law - The parties acknowledge that applicable state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of the HIPAA Laws and other applicable laws relating to the security or confidentiality of PHI. The parties understand and agree that CE must receive satisfactory written assurance from Associate that Associate will adequately safeguard all PHI that it receives or creates pursuant to this Agreement. Upon CE’s request, Associate agrees to promptly to enter into negotiations with CE concerning the terms of an amendment to this Agreement embodying written assurances consistent with the standards and requirements of the HIPAA Laws or other applicable laws. CE may terminate this Agreement upon thirty (30) days written notice in the event:

A. Associate does not promptly enter into negotiations to amend this Agreement when requested by CE pursuant to this Section; or

B. Associate does not enter into an amendment to this Agreement providing assurances regarding the safeguarding of PHI that CE, in its sole discretion, deems sufficient to satisfy the standards and requirements of the HIPAA Laws.

Associate shall make itself, and any subcontractors, employees or agents assisting Associate in the performance of its obligations under this Agreement, available to CE, at no cost to CE, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against CE, its directors, officers or employees based upon claimed violation of the HIPAA Laws or other laws relating to security and privacy, except where Associate or its subcontractor, employee or agent is a named adverse party.

Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than CE, Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

If any court of competent jurisdiction holds any provisions of this Agreement in violation of any applicable law, the remaining provisions shall be enforced and remain in full force and effect to the extent they are not unlawful or are unenforceable.

This Agreement contains the entire understanding of the parties with respect to the subject matter hereof and supersedes all prior agreements, oral or written, and all other communications between the parties relating to such subject matter. This Agreement shall be interpreted as broadly as necessary to implement and comply with the Privacy and Security laws, rules and regulations as well as applicable state laws. The parties agree that any ambiguity in the Agreement shall be resolved in favor of a meaning that complies and is consistent with the Privacy and Security laws, rules and regulations.

This Agreement shall be governed by and construed in accordance with the laws of the State of New Jersey, without giving effect to the conflict of law principles thereof. The Superior Court of New Jersey, Mercer County, shall have exclusive jurisdiction over any such disputes, except those that may be subject to fee arbitration under the Rules of the Court. In the event of any litigation arising out of this Agreement, each party unconditionally and irrevocably waives the right to a jury trial.

1. Regulatory References – A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

2. Amendment – The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the Privacy and Security laws, rules and regulations and any other applicable federal and/or state law. This Agreement may only be amended in a writing signed by CE and Associate; however, this Agreement must be amended to conform to any applicable regulatory changes or amendments to the Privacy and Security laws, rules and regulations.